With the development of the information society, importance of an information security technology for protecting information in security has been increased. Cryptography is one constituent element of the information security technology, and the cryptography is currently used in various products and systems.
For example, communication is actively performed through a network such as the Internet, and various devices such as a PC, a mobile phone, an RFID, and various sensors are connected to the network for communication. In such an environment, it is essential to use the information security technology for realizing a network society that increases convenience while protecting individual privacy, and the cryptography capable of increasing security and performing a process at a high speed is required.
A system of which a server collects, for example, information transmitted from a terminal owned by an individual or information acquired through a sensor installed in a house, and which performs various data processes or analysis with respect to the information collected by the sensor has been used.
Specifically, there are, for example, a system which manages power consumption by disposing a sensor in a house or an office, a service used for health and safety management by disposing a sensor in a house of an aged person living alone, a transportation system used for traffic congestion detection and alleviation by a sensor disposed at a road or in a car, and the like.
In many cases, the data collected in such a system includes information regarding individual privacy, and it is desirable to encrypt the data in order to protect the privacy. However, hardware in which a cryptographic algorithm of the related art is installed, is not a lightweight cryptographic algorithm designed for small hardware installation, has a large module scale and is difficult to be mounted on a small-sized device such as an RFID or a sensor, for example. In addition, it is difficult to realize the device at low cost, power consumption is great, and a frequency of battery exchange increases, and therefore there are many problems from the viewpoint of operability.
Meanwhile, there is an increasing requirement for lightweight cryptography suitable for hardware installation to a device with limited hardware scale or resources of a memory, or a device in which energy saving is required.
Research and development of the lightweight cryptography is in progress in response to such needs, and recently, several new lightweight block cryptographies which are excellent from a viewpoint of small hardware installation are proposed. There are PRESENT, CLEFIA, KATAN, Piccolo, and the like, as representative examples.
With this, international standardization of the lightweight cryptography has progressed, and standardization of an international standard of lightweight cryptography ISO/IEC 29192 has progressed in a committee ISO/IEC JTC 1/SC 27 for performing international standardization of the information security technology, in a joint technical committee of International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
Many examples of the lightweight block cryptogram which is one of the lightweight cryptography are optimal for small hardware installation.
That is, in order to realize a small size at the time of hardware installation, many examples of the lightweight block cryptogram are designed with a structure in which a plurality of small S-boxes with four bits and “light” round functions frequently used with a bit operation are repeated.
This structure of the lightweight cryptogram cannot take advantage of a general-purpose processer which continues to be developed, and a problem of a low speed generally occurs in software installation in the PC or the server.
As one example of a process of software installation in the PC or the server, cloud computing using a device connected to the network may be used, but a cross-virtual machine (VM) side-channel attack may also present a threat to the cloud [NPL 1]. The cloud may have a multi-tenant system in which a plurality of users share one server, and virtual machines VM of the users are separated from each other, but a physical device such as a memory or a cache is shared. The cross-VM side-channel attack is an attack where a cache is continuously attacked by a “malicious VM” which shares a set associative cache and a key is extracted by detecting an access by another VM by a delayed reaction of the cache. As described above, when performing the cryptographic process on the cloud in a state of the software installation, resistance with respect to such a side-channel attack is also the object of the disclosure.